核心要点
- 问题/背景
- VATS 关注 agent tool-use 中一个容易被忽略的安全边界:错误消息并不是普通文本,它会触发模型的纠错模式,并带有隐含权威,从而成为 prompt injection 的新入口。
- 方法/机制
- 论文提出 Vulnerability Analysis of Tool Streams,通过系统化 mutation 生成 error-path injection payloads,并在多模型上评估结构位置、语言包装和错误上下文对攻击成功率的影响。
- 结果/证据
- 正式收录价值在于它把 MCP/tool-calling 安全从输入内容扩展到 execution error loop,给出了可复用威胁模型和测试方法。对 agent safety、tool permissioning、runtime guardrails 和 secure computer-use 都有直接工程价值。
- 收录价值
- 它不是更高一级,因为它主要是攻击面和评测方法,防御闭环还不完整;但作为 error-path injection 的系统化安全论文,具备突破性收录价值。
原始摘要与中文对照
中文对照翻译
当工具失败时,智能体必须解释错误并进行自我纠正 (Liu et al., 2025; Pai et al., 2025)。因此,错误消息带有隐式权威。与标准工具输出不同,它们会激活纠正性推理,绕过正常的怀疑启发式,并要求立即采取行动。尽管先前的工作强调工具流注入是一个关键向量 (Lin et al., 2026; Maloyan & Namiot, 2026; Belkhiter et al., 2026),但没有研究分离出错误路径通道或系统地描述智能体为何服从。我们假设这种隐式权威使得错误路径注入比标准间接提示注入 (IPI) 严格更有效。随着 Model Context Protocol (MCP) 标准化了自主智能体的工具调用,它引入了一个关键的、未经审查的攻击面:错误处理循环。我们假设工具错误消息具有隐式权威,会触发纠正性推理模式,从而绕过标准安全启发式。我们引入了 VATS (Vulnerability Analysis of Tool Streams),这是一个突变驱动的框架,它系统地在七个结构和语言维度上演化对抗性有效载荷。我们对 Gemini 3.1 Pro、GPT-5.5、GLM-5.1 和 Qwen3-Coder 这四个前沿模型进行的评估表明,错误路径注入将标准间接提示注入 (IPI) 的成功率提高了三倍,在受控评估中实现了高达 100% 的依从性。我们将结构定位(在错误上下文中夹带指令)分离为所有测试模型中最有效的利用向量。尽管我们发现生产框架的防护措施可以缓解这些漏洞,但模型层固有的脆弱性对定制的智能体工作流构成了系统性风险。我们引入了 VATS (Vulnerability Analysis of Tool Streams),这是一个突变驱动的框架,用于评估错误路径注入。VATS 在七个维度(例如,语言框架、权威标记)上演化种子对抗性有效载荷,生成一个突变树,量化哪些属性驱动针对生产模式智能体的攻击成功。贡献。
原始摘要
when a tool fails, agents must interpret the error and selfcorrect (Liu et al., 2025; Pai et al., 2025). Consequently, error messages carry implicit authority. Unlike standard tool outputs, they activate corrective reasoning, bypass normal skepticism heuristics, and demand immediate action. While prior work highlights tool-stream injection as a critical vector (Lin et al., 2026; Maloyan & Namiot, 2026; Belkhiter et al., 2026), none have isolated the error-path channel or systematically characterized why agents comply. We hypothesize this implicit authority makes error-path injection strictly more effective than standard indirect prompt injection (IPI). As the Model Context Protocol (MCP) standardizes tool-calling for autonomous agents, it introduces a critical, unexamined attack surface: the error-handling loop. We hypothesize that tool error messages possess implicit authority, triggering corrective reasoning modes that bypass standard safety heuristics. We introduce VATS (Vulnerability Analysis of Tool Streams), a mutation-driven framework that systematically evolves adversarial payloads across seven structural and linguistic dimensions. Our evaluation across four frontier models, Gemini 3.1 Pro, GPT-5.5, GLM-5.1, and Qwen3-Coder, demonstrates that error-path injection triples the success rate of standard indirect prompt injection (IPI), achieving up to 100% compliance in controlled evaluations. We isolate structural positioning (sandwiching instructions within error context) as the most effective exploit vector across all tested models. While we find that production framework guardrails can mitigate these vulnerabilities, the inherent susceptibility of the model layer poses a systemic risk to bespoke agentic workflows. We introduce VATS (Vulnerability Analysis of Tool Streams), a mutation-driven framework to evaluate errorpath injection. VATS evolves seed adversarial payloads across seven dimensions (e.g., linguistic framing, authority markers), producing a mutation tree that quantifies which properties drive attack success against production-pattern agents. Contributions.